User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
RADIUS NAS ID—The Network Access ID, which identifies the service requesting authentication.
The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The
default is cisco-ips.
Enable Local Fallback—Whether to fall back to local user account authentication when no RADIUS
server can be reached. This option is selected by default. Local authentication is attempted only when
no RADIUS server responds at all; if a RADIUS server responds and rejects the logon, the sensor denies
the login and does not consult the local accounts.
Default User Role—The role to assign to users for whom the RADIUS server returns no role. You can
make Viewer, Operator, or Administrator the default role, but not Service; select Unspecified to
assign no default role (this is the default). For an explanation of user roles, see
Understanding IPS User Roles, page 35-13.
Note User role configuration is very important. If you do not assign a role to the user, either
through the default user role or in the RADIUS server, the sensor prevents user login
even if the RADIUS server accepted the username and password.
To assign roles to specific users on the RADIUS server, configure the Accept Message for each of those
accounts to contain one of ips-role=administrator, ips-role=operator, ips-role=viewer, or
ips-role=service. The Accept Message is configured individually for each user account, and the role
token may be embedded in free text; for example, a Reply attribute that returns “Hello <user> your
ips-role=operator.” assigns the Operator role.
If you configure a service account in the RADIUS server, you must also configure an identical
service account locally on the device. For service accounts, both the RADIUS and Local accounts
are checked during login.
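The three settings above interact in ways that are easy to misconfigure: a RADIUS reject never falls back to local accounts, an accepted user with no role from either the reply or the default is still refused, and a Service role needs a matching local account. The following is an added model of that decision logic written for this page; it is not Cisco code, and the function names, the `LocalAccount` shape, and the `radius_outcome` strings are assumptions used to make the rules testable.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Roles the sensor understands, as listed on this page.
ROLES = ("viewer", "operator", "administrator", "service")
# Roles that may be chosen as the policy's Default User Role (Service may not).
DEFAULTABLE_ROLES = ("viewer", "operator", "administrator")

# The role token may sit inside free text such as "Hello bob your ips-role=operator."
ROLE_TOKEN = re.compile(r"ips-role=(administrator|operator|viewer|service)\b")


def role_from_reply(reply_message: Optional[str]) -> Optional[str]:
    """Return the role carried in the RADIUS Accept Message text, or None if absent."""
    match = ROLE_TOKEN.search(reply_message or "")
    return match.group(1) if match else None


def is_valid_default_role(role: Optional[str]) -> bool:
    """None models 'Unspecified'; Service is never allowed as a default."""
    return role is None or role in DEFAULTABLE_ROLES


@dataclass
class RadiusAuthPolicy:
    """The Enable Local Fallback and Default User Role settings described above."""
    enable_local_fallback: bool = True
    default_role: Optional[str] = None  # None == Unspecified

    def __post_init__(self) -> None:
        if not is_valid_default_role(self.default_role):
            raise ValueError(f"{self.default_role!r} cannot be the default role")


@dataclass
class LocalAccount:
    """Hypothetical view of a user account configured on the sensor itself."""
    role: str
    password_ok: bool  # result of checking the supplied password against the local account


def login_decision(policy: RadiusAuthPolicy, radius_outcome: str,
                   reply_message: Optional[str] = None,
                   local: Optional[LocalAccount] = None) -> Tuple[bool, str]:
    """Model one login attempt. radius_outcome is 'accept', 'reject' or 'no_response'.

    Returns (granted, detail): detail is the effective role on success, the reason on denial.
    """
    if radius_outcome == "no_response":
        # Fallback applies only when no server answered, and only if it is enabled.
        if not policy.enable_local_fallback:
            return False, "no RADIUS response and local fallback disabled"
        if local is None or not local.password_ok:
            return False, "no RADIUS response and local authentication failed"
        return True, local.role
    if radius_outcome == "reject":
        # A negative answer from RADIUS is final; local accounts are not tried.
        return False, "RADIUS rejected the credentials"
    if radius_outcome != "accept":
        raise ValueError(f"unknown RADIUS outcome {radius_outcome!r}")

    role = role_from_reply(reply_message) or policy.default_role
    if role is None:
        # Accepted by RADIUS, but no role from the reply or the default: login refused.
        return False, "RADIUS accepted but no role assigned"
    if role == "service":
        # Service accounts must also exist locally; both checks have to pass.
        if local is None or local.role != "service" or not local.password_ok:
            return False, "service role requires a matching local service account"
    return True, role
```

Run `login_decision(RadiusAuthPolicy(), "accept", "Welcome")` to see the case the Note above warns about: RADIUS accepted the password, yet the login is denied because neither the reply nor the policy supplied a role.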
Identifying an NTP Server
Use the NTP policy to configure a Network Time Protocol (NTP) server as the time source for the IPS
device. Using NTP helps ensure synchronized time among your network devices, which can aid event
analysis. NTP is the recommended way to configure time settings on an IPS device.
For detailed information on how to set the time on a sensor, including how to set up a Cisco IOS router
as an NTP server, refer to Configuring Time in Configuring the Cisco Intrusion Prevention System
Sensor Using the Command Line Interface Version 7.0.
Tip If an IPS software update fails, check the time on the sensor. If the sensor's clock is ahead of the
time on the certificate associated with the update, the certificate is rejected and the update fails, so a
sensor that has drifted or was never set cannot be updated until its time is corrected.
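The Tip describes a clock-skew failure: the sensor compares the certificate's validity period against its own clock, so a wrong local time rejects a perfectly good certificate. The block below is an added example written for this page, not Cisco code or the sensor's implementation. It parses the transmit timestamp out of a constructed NTP server reply, measures how far a sensor's clock is off, and shows the same validity check passing with NTP time and failing with the drifted clock. The packet builder, the scenario dates, and the function names are assumptions; the NTP packet layout and the 1900-to-1970 epoch offset are the protocol's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800


def build_ntp_reply(transmit: datetime, stratum: int = 2) -> bytes:
    """Construct a minimal 48-byte NTPv4 server reply (mode 4). Test data only:
    a real server fills the delay, dispersion and per-stage timestamps separately."""
    unix = transmit.timestamp()
    secs = int(unix) + NTP_UNIX_DELTA
    frac = int((unix - int(unix)) * (1 << 32))
    header = bytes([(0 << 6) | (4 << 3) | 4, stratum, 6, 0xEC])  # LI=0, VN=4, mode=4, poll, precision
    header += struct.pack("!III", 0, 0, 0x4C4F434C)  # root delay, root dispersion, ref id "LOCL"
    ts = struct.pack("!II", secs, frac)
    return header + ts * 4  # reference, originate, receive, transmit timestamps


def ntp_reply_time(pkt: bytes) -> datetime:
    """Return the transmit timestamp of an NTP server reply as an aware UTC datetime,
    refusing packets that are not a synchronised server's answer."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    version, mode = (pkt[0] >> 3) & 0x7, pkt[0] & 0x7
    if version not in (3, 4) or mode != 4:
        raise ValueError(f"not an NTPv3/v4 server reply (version {version}, mode {mode})")
    stratum = pkt[1]
    if stratum == 0 or stratum > 15:
        # Stratum 0 is a kiss-o'-death; 16 and above means the server is itself unsynchronised.
        raise ValueError(f"server not usable as a time source (stratum {stratum})")
    secs, frac = struct.unpack("!II", pkt[40:48])
    unix = secs - NTP_UNIX_DELTA + frac / (1 << 32)  # NTP era 0 only; the field wraps in 2036
    return datetime.fromtimestamp(unix, tz=timezone.utc)


def is_usable_reply(pkt: bytes) -> bool:
    """True if ntp_reply_time() would accept the packet."""
    try:
        ntp_reply_time(pkt)
        return True
    except ValueError:
        return False


def clock_offset(sensor_now: datetime, pkt: bytes) -> timedelta:
    """How far the sensor's clock is ahead (positive) or behind (negative) of the NTP server."""
    return sensor_now - ntp_reply_time(pkt)


def certificate_time_valid(now: datetime, not_before: datetime, not_after: datetime) -> bool:
    """The validity-period check that rejects a certificate when the clock is outside its window."""
    return not_before <= now <= not_after


# Constructed scenario: the update's certificate is valid for 2013, the NTP server says it is
# mid-2013, but the sensor's clock was never set and runs two years ahead.
CERT_NOT_BEFORE = datetime(2013, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2013, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
TRUE_TIME = datetime(2013, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
SENSOR_CLOCK = TRUE_TIME + timedelta(days=730)
NTP_REPLY = build_ntp_reply(TRUE_TIME)


def update_would_succeed(sensor_now: datetime) -> bool:
    """Whether the update's certificate passes the time check at the given sensor time."""
    return certificate_time_valid(sensor_now, CERT_NOT_BEFORE, CERT_NOT_AFTER)


if __name__ == "__main__":
    print("sensor clock is ahead by:", clock_offset(SENSOR_CLOCK, NTP_REPLY))
    print("update with drifted clock:", update_would_succeed(SENSOR_CLOCK))
    print("update after NTP sync:    ", update_would_succeed(ntp_reply_time(NTP_REPLY)))
```

The stratum and mode checks matter in practice: a kiss-o'-death or a client-mode packet must not be taken as a time source, or the sensor would be "synchronised" to nothing. Against a real server, replace `NTP_REPLY` with the 48 bytes read from a UDP socket on port 123.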
Step 1 Do one of the following to open the NTP policy:
(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then select an
existing policy or create a new one.